Security audit

remote-chrome

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it exposes a live browser session and its access credentials in ways users should review carefully before installing.

Install only if you intentionally need a remotely controllable Chrome session. Keep ports 5900, 6080, and especially 9222 off the public internet; prefer localhost, SSH tunnels, VPNs, or strict firewall allowlists. Treat the noVNC URL and printed VNC password as secrets, avoid sharing status output or screenshots, and stop the service when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The examples explicitly advertise a remotely reachable Chrome DevTools endpoint (`http://10.37.225.235:9222`) in a skill whose stated purpose is GUI access via VNC/web. Exposing remote debugging materially expands control over the browser beyond simple viewing/interaction and can enable deep browser inspection and automation if reachable, especially when combined with a service already bound to network-accessible interfaces.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
The status output includes live tab titles and URLs, which goes beyond service lifecycle management and leaks potentially sensitive browsing activity. In a remote browser context, this can disclose user intent, internal URLs, tokens in query strings, or other confidential session information to anyone who can invoke status or view logs.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script exposes Chrome's remote debugging interface on a network port even though the skill description only promises browser access via VNC/noVNC. Chrome DevTools remote debugging can allow powerful browser control, page inspection, cookie/session access, and automation by any reachable client, making this a material expansion of capability and attack surface.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The generated noVNC URL includes the VNC password as a query parameter, which can leak via terminal history, logs, screenshots, browser history, referrer headers, and process monitoring. Embedding credentials directly in URLs weakens the protection provided by the generated password and makes accidental disclosure much more likely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The status script goes beyond reporting service health and actively discloses highly sensitive data: the VNC password in plaintext, a fully authenticated noVNC URL containing that password, and Chrome tab titles/URLs. Anyone with access to the script output, logs, terminal history, or captured console output can gain remote GUI access to the browser session and learn browsing activity. In the context of a remote browser service, this materially increases the chance of session takeover and privacy leakage.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The function queries Chrome's remote debugging endpoint and retrieves tab metadata, which exposes browsing session contents unrelated to simple service-status reporting. Tab titles and URLs may contain sensitive information such as internal apps, documents, tokens in URLs, or user activity, creating unnecessary privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation advertises direct access endpoints for web VNC, raw VNC, and Chrome remote debugging without prominent warnings about exposure, authentication, network binding, or trust boundaries. In this skill context, that is especially dangerous because these services can expose a live GUI session, browser state, cookies, and full browser control to anyone who can reach the ports.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly instructs users to open VNC, noVNC, and Chrome DevTools ports to other machines and provides direct access URLs, including one that embeds the VNC password in the query string. Exposing these services remotely is dangerous because Chrome DevTools can enable full browser/session control, and VNC/noVNC exposure increases the attack surface for unauthorized access, especially since the doc lacks strong warnings to restrict access to localhost, VPN, SSH tunneling, or firewall allowlists.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples show full remote-access URLs and VNC passwords inline, and elsewhere also reference debugging endpoints, without warning that these values grant access to a live remote browser session. In documentation and sample outputs, this normalizes disclosure of secrets and may lead users or downstream tooling to log, paste, or share credentials and session endpoints insecurely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script starts VNC, noVNC, and Chrome remote debugging services and advertises network-accessible endpoints without clearly warning that they may be reachable by other hosts. In this skill context, the service is specifically intended to expose a remote browser, so lack of explicit risk disclosure and safe defaults increases the chance of users unintentionally exposing a controllable browser session to their network.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script writes the generated VNC password to a predictable file in /tmp so that another script can read it, but it does not warn the user that a credential is being persisted on disk. Even with mode 600, storing secrets in a shared temporary directory increases exposure to accidental disclosure, stale secret reuse, and mishandling by other local processes or users with elevated access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script reads the VNC password from disk and prints it directly to the terminal, also embedding it into the generated noVNC URL. This can expose the credential through terminal logs, shell recording, CI logs, screenshots, scrollback, or any user with access to the console, enabling unauthorized access to the remote desktop session.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script contacts Chrome's debugging API and later prints tab titles and URLs without warning, exposing user browsing data that may include sensitive internal resources or personal activity. A status command is likely to be run routinely, so this behavior increases the likelihood of accidental disclosure to logs or observers.

VirusTotal

66/66 vendors flagged this skill as clean.
